Network Monitoring With nmap
Asset management is a problem we help many of our customers with. What are an organization’s assets, and how accurate and up-to-date is this information? Even with a mature asset management program, organizations want some form of validation of their results.
From a resource standpoint, this can be difficult to achieve and sustain. Depending on how large your network is, it may take a large amount of time to cover your entire organization. Conversely, it may not make sense to implement an expensive network scanning solution if your network is small or static. Tools such as Nessus will not provide a lot of value for smaller networks. There may not be enough of a need for dedicated personnel to perform constant monitoring. What are the alternatives to dedicated commercial scanning systems?
For many of our customers, we like to use asset-focused nmap scanning to stay on top of network changes. We aren’t concerned with vulnerabilities here — only assets. Specifically, monitoring changes in the network is a primary concern. If something in your organization changes, it can be important to know as soon as it does.
How it works
Our solution is a simple shell script that takes a list of IP addresses, an email address, and an output directory.

```
$ ./nmap-diff.sh -h
Carve Systems Nmap network scanner.
Usage: ./nmap-diff.sh [options].
REQUIRED
  -f|--file: The input file with an IP list.
  --email: Your email address.
  -o|--output: The output directory.
OPTIONAL
  -h|--help: Display this help summary.
EXAMPLE
  ./nmap-diff.sh -f ips.txt --email EMAIL.com -o OUTPUT-DIR/nmap-scanning/
```
The tool runs nmap against the provided IPs with minimal intrusiveness (or whichever options you wish), which helps prevent nmap from causing stability issues on the services it is scanning. In particular, the options we use include the following:
- -v: Increase verbosity level
- -sV: Probe open ports to determine service/version info
- --top-ports 5000: Scan the 5000 most common ports
- -T4: Set timing template for a balance of speed and depth, limiting scan aggression
- -Pn: Treat all hosts as online -- skip host discovery
- -R: Always DNS resolve
Next is where the network monitoring takes place. After the first scan establishes a baseline, each newly completed scan is compared against the most recent previous scan using ndiff. All completed scans are saved by scan time, and an email with the results is sent to the specified email address using mutt.
Further optimization
This process can be taken a step further. crontab can be used to set up automated scans at any specified frequency (e.g. monthly, weekly, nightly), and ndiff can summarize the changes between runs. With a review process that matches the scan frequency, it is now simple to find unexpected changes in network assets.
Use cases
While relatively simple, this tool has many benefits:
- It gives you an up-to-date view of your organization’s network attack surface
- It provides monitoring for instances of malware (e.g. an infected machine opens up an SSH port for further access)
- It can catch changes, both intentional and unintentional, and allow users to act accordingly.
So far, we’ve had lots of positive security outcomes from this simple script. It detected malware that had opened a port on a compromised host, it helped validate changes an organization was making in real time, and in other instances it revealed servers that should not have been externally exposed. Consider deploying this script, or a similar process, if this is not already a tool in your infrastructure security arsenal.
Download the script
The script is available on GitHub as a Gist.